Is Patient Data Privacy on its Sickbed?

The Bush administration de-regulated the consumer protection across the board, and one of the places where they did that was in the HIPAA privacy rule.
Deborah Peel, Patient Privacy Rights
John Halamka, Harvard
Deven McGraw, CDT

British Romantic wit Alexander Pope had it right when he said: “Reason’s whole pleasure, all the joys of sense, lie in three words,—health, peace, and competence.” In today’s modern healthcare environment, health requires a whole different type of competence; we’ll only achieve peace of mind when we secure private patient information in an increasingly digital environment.

The American healthcare system is poised to undergo one of the most significant changes in its history. Electronic healthcare records have been on the agenda for some time, but with the recent change in the administration, modernizing the system has become a priority. President Obama has pledged to revolutionize the healthcare system using funds provided by the American Recovery and Reinvestment Act stimulus package Bill passed in February.

As soon as he came into office, Obama pledged to computerize the nation’s health records within five years. However, that carries significant challenges from an information security perspective. How is it going to happen, and who is going to protect our data as it does?

The core of the modernization initiative will be a Nationwide Health Information Network, which will connect a series of regional networks called Health Information Exchanges together across a broader backbone. The US Department of Health and Human Services is overseeing the system, and has commissioned 15 contractors to produce prototypes.

That initiative will hopefully take care of the communications infrastructure that will enable records to be exchanged between different parts of the country (so that, for example, a doctor in Florida could access the records of a retiree from Minnesota who is spending the winter in the Sunshine State). The Healthcare Information Technology Standards Panel, created by the American National Standards Institute, will take care of the format for electronic health records.

The Meaning of Privacy

Where do privacy and security lie in this massive modernization program? Dr Deborah Peel, a practicing physician who also founded non-profit special interest group Patient Privacy Rights, isn’t convinced that they have been given enough thought.

"The Bush administration de-regulated the consumer protections across the board, and one of the places where they did that was the HIPAA privacy rule."
Deborah Peel, Patient Privacy Rights

There may be a legal definition of what privacy means in the US, but there isn’t a government-ratified one pertaining to health, she warns. “Congress has not set a definition of what that means, in the portion of the stimulus package that is about health technology,” she says. The National Committee on Vital and Health Statistics developed a definition in 2006, but the Department of Health and Human Services did not adopt it, she recalls.

But surely the Health Insurance Portability and Accountability Act (HIPAA) should provide some protection? Passed in 1996, the legislation is designed to provide some privacy for healthcare information. Entities covered by the legislation include healthcare providers, healthcare clearing houses, and health plans.

Title two of the Act focuses on preventing healthcare fraud and abuse, and entails five rules revolving around privacy, transactions and code sets, security, unique identifiers, and enforcement.

HIPAA’s privacy rule requires covered entities to disclose protected health information (PHI) to an individual within 30 days of a request, and they must also fix errors in that information when asked to. They must also tell individuals how that information is being used.

"At present, Google and Microsoft have created very strong policies, and they are not covered by HIPAA, so patients have to trust those policies."
John Halamka, Harvard

The Role of Security

The Security rule is another significant one. It focuses on electronically held PHI, and mandates administrative, physical, and technical safeguards. These are many and varied, but include, for example, the requirement to adopt a rigorous set of privacy procedures, and the designation of a privacy officer. Covered entities should have a contingency plan for dealing with security breaches, and must protect their computer systems from intrusion. Encryption must be used when transmitting data over open networks.

Peel doesn’t feel that HIPAA offers consumers the protection that they deserve, however. “HIPAA eliminated the right to privacy,” she says. “The Bush administration de-regulated the consumer protections across the board, and one of the places where they did that was in the HIPAA privacy rule,” she says, arguing that a 2002 amendment eliminated the right of individuals to give their consent to healthcare providers wishing to share their information with others.

“They literally take the individuals out of it, and the decisions about when information will be used, and for what purposes, are in the hands of businesses,” she says. The amendment applies to ‘covered entities’, a term that takes in most businesses operating in the healthcare sector, she adds. “They totally turned HIPAA into a data miner’s dream.”

There is alternative legislation on the table, however. The Protect Patients and Physicians Privacy Act was introduced into the House of Representatives in May by Rep. Ron Paul (R-TX). It has been referred to the Committee on Energy and Commerce as well as the Committee on Ways and Means, as part of the long, arduous process to make a Bill law. If passed, the Act would reinstate some of the patient privacy rules that Peel says were cut out of HIPAA.

This may be true, but nevertheless there are some entities not covered by HIPAA that perhaps should be. In particular, there are some companies hoping to act as stewards for consumer health information that is not subject to the same rigorous controls that health plans face.

Google launched its Health service in April 2008, while Microsoft rolled out its HealthVault service in October 2007. The two services have similar goals: to help consumers store and manage their own health information, rather than leaving it purely in the hands of medical practitioners.

“Google Health is free to anyone, much like other Google products we offer, including Google News and iGoogle,” says Google, about its service. “This is just another step in helping us fulfill our mission to organize all of the world’s information and make it universally accessible and useful.”

The Benefits of Sharing

The potential benefits of these systems are enormous. They are connecting with networks of medical institutions such as pharmacies, making it possible for patients to pool their prescription and healthcare data into their own account managed on either Microsoft or Google’s servers. They can then choose who sees that information, and in some cases can make more informed searches about their healthcare questions.

“There is a way in which we can securely hold information about patients, giving them the ability to share their information, under their control, very explicitly”, says John Coulthard, director of healthcare and life sciences at Microsoft. “There is a cohort of individuals that want to search for healthcare information, learn about what it tells them, save that information, and then act upon it”.

"People's health information will potentially be more at risk of being used for commercial and marketing purposes."
Deven McGraw, CDT

That’s all well and good, but who is going to police these services? John Halamka, chief information officer and dean for technology at Harvard Medical School, who helped to develop the Google Health service, admits that it does not fall under HIPAA regulation. He says, however, that the companies have been co-operative in agreeing to their own standards.

“At present, Google and Microsoft have created very strong policies, and they are not covered by HIPAA, so patients have to trust those policies,” he says.

However, Peel, who is trying to put together an evaluation system for privacy protection in healthcare information systems, says that only Microsoft replied when she invited several companies to contribute. Google didn’t get back to her, she says.

Commercial Activity

She is not the only person concerned over the safety of electronic health records within some of these privately owned services. “People’s health information will potentially be more at risk of being used for commercial and marketing purposes,” warns Deven McGraw, director of the health privacy project at the Centre for Democracy and Technology in Washington, DC. “The volume of that kind of activity will ramp up considerably in a health and information system that is all commercially run”.

"There is a way in which we can securely hold information about patients, giving them the ability to share their information, under their control, very explicitly."
John Coulthard

Such issues could become more problematic as these companies begin using their expertise in social networking tools to enhance the value of these healthcare records. Google has already launched a social networking function as part of its Health service, and it is unlikely to be the last (although it has vowed not to use advertising as part of its healthcare system). Microsoft executives have already talked about the benefits of such features.

The balance between security and usability is always a fine one, and in the case of healthcare it is particularly politically charged. On the one hand, the appeal of managing one’s own personal health information is obvious, as is the opportunity of plugging it into innovative services that can add value to it.

On the other hand, there is a need to protect patients’ personal information, both from commercially motivated cyber criminals, and also from special interests that could use those records for their own ends. Let’s hope that as we continue to modernize our systems, our privacy remains in good health.
